common name

fetchmail security announcement fetchmail-SA-2009-01 (CVE-2009-2666)

2. Problem description and Impact
=================================

Moxie Marlinspike demonstrated in July 2009 that some CAs would sign
certificates that contain embedded NUL characters in the Common Name or
subjectAltName fields of ITU-T X.509 certificates.

Applications that would treat such X.509 strings as NUL-terminated C
strings (rather than strings that contain an explicit length field)
would only check the part up to and excluding the NUL character, so that

[ GLSA 200910-01 ] Wget: Certificate validation error

  1  net-misc/wget       < 1.12                                >= 1.12

Description
===========

The vendor reported that Wget does not properly handle Common Name (CN)
fields in X.509 certificates that contain an ASCII NUL (\0) character.
Specifically, the processing of such fields is stopped at the first
occurrence of a NUL character. This type of vulnerability was recently
discovered by Dan Kaminsky and Moxie Marlinspike.


[SECURITY] [DSA-1964-1] New PostgreSQL packages fix several vulnerabilities

Several vulnerabilities have been discovered in PostgreSQL, a database
server.  The Common Vulnerabilities and Exposures project identifies
the following problems:

It was discovered that PostgreSQL did not properly verify the Common
Name attribute in X.509 certificates, enabling attackers to bypass the
(optional) TLS protection on client-server connections, by relying on
a certificate from a trusted CA which contains an embedded NUL byte in
the Common Name (CVE-2009-4034).

Authenticated database users could elevate their privileges by

[ GLSA 201006-12 ] Fetchmail: Multiple vulnerabilities

* The sdump() function might trigger a heap-based buffer overflow
  during the escaping of non-printable characters with the high bit set
  from an X.509 certificate (CVE-2010-0562).

* The vendor reported that Fetchmail does not properly handle Common
  Name (CN) fields in X.509 certificates that contain an ASCII NUL
  character. Specifically, the processing of such fields is stopped at
  the first occurrence of a NUL character. This type of vulnerability
  was recently discovered by Dan Kaminsky and Moxie Marlinspike
  (CVE-2009-2666).


[USN-1007-1] NSS vulnerabilities

with the new NSS.

Details follow:

Richard Moore discovered that NSS would sometimes incorrectly match an SSL
certificate which had a Common Name that used a wildcard followed by a partial
IP address. While it is very unlikely that a Certificate Authority would issue
such a certificate, if an attacker were able to perform a man-in-the-middle
attack, this flaw could be exploited to view sensitive information.
(CVE-2010-3170)


[ MDVSA-2010:210 ] firefox

 Security issues were identified and fixed in firefox:
 
 Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird
 before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9
 recognize a wildcard IP address in the subject's Common Name field of
 an X.509 certificate, which might allow man-in-the-middle attackers
 to spoof arbitrary SSL servers via a crafted certificate issued by
 a legitimate Certification Authority (CVE-2010-3170).
 
 The SSL implementation in Mozilla Firefox before 3.5.14 and 3.6.x

[SECURITY] [DSA 2025-1] New icedove packages fix several vulnerabilities

CVE-2009-2408

Dan Kaminsky and Moxie Marlinspike discovered that icedove does not
properly handle a '\0' character in a domain name in the subject's
Common Name (CN) field of an X.509 certificate (MFSA 2009-42).

CVE-2009-2404

Moxie Marlinspike reported a heap overflow vulnerability in the code
that handles regular expressions in certificate names (MFSA 2009-43).

[SECURITY] [DSA 1852-1] New fetchmail packages fix SSL certificate verification weakness

It was discovered that fetchmail, a full-featured remote mail retrieval
and forwarding utility, is vulnerable to the "Null Prefix Attacks Against
SSL/TLS Certificates" recently published at the Blackhat conference.
This allows an attacker to perform undetected man-in-the-middle attacks
via a crafted ITU-T X.509 certificate with an injected null byte in the
subjectAltName or Common Name fields.

Note, as a fetchmail user you should always use strict certificate
validation through either these option combinations:
    sslcertck ssl sslproto ssl3    (for service on SSL-wrapped ports)
or

[SECURITY] [DSA 1943-1] New openldap2.3/openldap packages fix SSL certificate verification weakness

Debian bug     : 553432
CVE ID         : CVE-2009-3767

It was discovered that OpenLDAP, a free implementation of the Lightweight
Directory Access Protocol, when OpenSSL is used, does not properly handle a '\0'
character in a domain name in the subject's Common Name (CN) field of an X.509
certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL
servers via a crafted certificate issued by a legitimate Certification Authority.

For the oldstable distribution (etch), this problem has been fixed in version
2.3.30-5+etch3 for openldap2.3.

[ MDVSA-2009:203-1 ] curl

 A vulnerability has been found and corrected in curl:
 
 lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is
 used, does not properly handle a '\0' character in a domain name in
 the subject's Common Name (CN) field of an X.509 certificate, which
 allows man-in-the-middle attackers to spoof arbitrary SSL servers via
 a crafted certificate issued by a legitimate Certification Authority,
 a related issue to CVE-2009-2408 (CVE-2009-2417).
 
 This update provides a solution to this vulnerability.

[ MDVSA-2009:206-1 ] wget

 Problem Description:

 A vulnerability has been found and corrected in wget:
 
 GNU Wget before 1.12 does not properly handle a '\0' (NUL) character
 in a domain name in the Common Name field of an X.509 certificate,
 which allows man-in-the-middle remote attackers to spoof arbitrary SSL
 servers via a crafted certificate issued by a legitimate Certification
 Authority, a related issue to CVE-2009-2408 (CVE-2009-3490).
 
 This update provides a solution to this vulnerability.

[ GLSA 201101-06 ] IO::Socket::SSL: Certificate validation error

Description
===========

The vendor reported that IO::Socket::SSL does not properly handle
Common Name (CN) fields.

Impact
======

A remote attacker might employ a specially crafted certificate to

[ GLSA 200909-20 ] cURL: Certificate validation error

Impact
======

A remote attacker might employ a specially crafted X.509 certificate
(that for instance contains a NUL character in the Common Name field)
to conduct man-in-the-middle attacks.

Workaround
==========


[USN-835-1] neon vulnerabilities

necessary changes.

Details follow:

Joe Orton discovered that neon did not correctly handle SSL certificates
with zero bytes in the Common Name.  A remote attacker could exploit this
to perform a man in the middle attack to view sensitive information or
alter encrypted communications.


Updated packages for Ubuntu 6.06 LTS:

[ MDVSA-2010:079 ] irssi

 Problem Description:

 Multiple vulnerabilities have been found and corrected in irssi:
 
 Irssi before 0.8.15, when SSL is used, does not verify that the server
 hostname matches a domain name in the subject's Common Name (CN)
 field or a Subject Alternative Name field of the X.509 certificate,
 which allows man-in-the-middle attackers to spoof IRC servers via an
 arbitrary certificate (CVE-2010-1155).
 
 core/nicklist.c in Irssi before 0.8.15 allows remote attackers to cause

[USN-876-1] PostgreSQL vulnerabilities

necessary changes.

Details follow:

It was discovered that PostgreSQL did not properly handle certificates with
NULL characters in the Common Name field of X.509 certificates. An attacker
could exploit this to perform a man in the middle attack to view sensitive
information or alter encrypted communications. (CVE-2009-4034)

It was discovered that PostgreSQL did not properly manage session-local
state. A remote authenticated user could exploit this to escalate

[USN-862-1] PHP vulnerabilities

to the dba_replace function, an attacker could truncate the database. This
issue only applied to Ubuntu 6.06 LTS, 8.04 LTS, and 8.10. (CVE-2008-7068)

It was discovered that PHP's php_openssl_apply_verification_policy
function did not correctly handle SSL certificates with zero bytes in the
Common Name. A remote attacker could exploit this to perform a man in the
middle attack to view sensitive information or alter encrypted
communications. (CVE-2009-3291)

It was discovered that PHP did not properly handle certain malformed images
when being parsed by the Exif module. A remote attacker could exploit this

[ MDVSA-2010:003 ] sendmail

 Problem Description:

 A security vulnerability has been identified and fixed in sendmail:
 
 sendmail before 8.14.4 does not properly handle a '\0' (NUL)
 character in a Common Name (CN) field of an X.509 certificate, which
 (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based
 SMTP servers via a crafted server certificate issued by a legitimate
 Certification Authority, and (2) allows remote attackers to bypass
 intended access restrictions via a crafted client certificate issued by
 a legitimate Certification Authority, a related issue to CVE-2009-2408

[USN-818-1] curl vulnerability

necessary changes.

Details follow:

Scott Cantor discovered that Curl did not correctly handle SSL
certificates with zero bytes in the Common Name.  A remote attacker could
exploit this to perform a man in the middle attack to view sensitive
information or alter encrypted communications.


Updated packages for Ubuntu 6.06 LTS:

rPSA-2010-0022-1 sendmail sendmail-cf

References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4565

Description:
    Previous versions of sendmail do not properly handle a '\0' character in a 
    Common Name (CN) field of an X.509 certificate, which could allow attackers 
    to spoof arbitrary SSL-based SMTP servers or bypass intended access 
    restrictions via a crafted server certificate issued by a legitimate 
    Certification Authority.

http://wiki.rpath.com/Advisories:rPSA-2010-0022

[ MDVSA-2009:201 ] fetchmail

 Problem Description:

 A vulnerability has been found and corrected in fetchmail:
 
 socket.c in fetchmail before 6.3.11 does not properly handle a '\0'
 character in a domain name in the subject's Common Name (CN) field
 of an X.509 certificate, which allows man-in-the-middle attackers
 to spoof arbitrary SSL servers via a crafted certificate issued by a
 legitimate Certification Authority, a related issue to CVE-2009-2408
 (CVE-2009-2666).
 

[USN-858-1] OpenLDAP vulnerability

necessary changes.

Details follow:

It was discovered that OpenLDAP did not correctly handle SSL certificates
with zero bytes in the Common Name. A remote attacker could exploit this to
perform a man in the middle attack to view sensitive information or alter
encrypted communications.


Updated packages for Ubuntu 6.06 LTS:

[SECURITY] [DSA 1935-1] New gnutls23/gnutls26 packages fix SSL certificate verification weakness

CVE Ids        : CVE-2009-2409 CVE-2009-2730


Dan Kaminsky and Moxie Marlinspike discovered that gnutls, an implementation of
the TLS/SSL protocol, does not properly handle a '\0' character in a domain name
in the subject's Common Name or Subject Alternative Name (SAN) field of an X.509
certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL
servers via a crafted certificate issued by a legitimate Certification
Authority. (CVE-2009-2730)

In addition, with this update, certificates with MD2 hash signatures are no

[ MDVSA-2009:203 ] curl

 A vulnerability has been found and corrected in curl:
 
 lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is
 used, does not properly handle a '\0' character in a domain name in
 the subject's Common Name (CN) field of an X.509 certificate, which
 allows man-in-the-middle attackers to spoof arbitrary SSL servers via
 a crafted certificate issued by a legitimate Certification Authority,
 a related issue to CVE-2009-2408 (CVE-2009-2417).
 
 This update provides a solution to this vulnerability.

[SECURITY] [DSA 1985-1] New sendmail packages fix SSL certificate verification weakness

Debian-specific: no
CVE ID         : CVE-2009-4565
Debian bug     : 564581

It was discovered that sendmail, a Mail Transport Agent, does not properly handle
a '\0' character in a Common Name (CN) field of an X.509 certificate.
This allows an attacker to spoof arbitrary SSL-based SMTP servers via a crafted server
certificate issued by a legitimate Certification Authority, and to bypass intended
access restrictions via a crafted client certificate issued by a legitimate
Certification Authority.


[ MDVSA-2009:228 ] libneon

 Problem Description:

 A vulnerability has been found and corrected in neon:
 
 neon before 0.28.6, when OpenSSL is used, does not properly handle
 a '\0' character in a domain name in the subject's Common Name
 (CN) field of an X.509 certificate, which allows man-in-the-middle
 attackers to spoof arbitrary SSL servers via a crafted certificate
 issued by a legitimate Certification Authority, a related issue to
 CVE-2009-2408. (CVE-2009-2474)
 

[ MDVSA-2009:201-1 ] fetchmail

 Problem Description:

 A vulnerability has been found and corrected in fetchmail:
 
 socket.c in fetchmail before 6.3.11 does not properly handle a '\0'
 (NUL) character in a domain name in the subject's Common Name (CN)
 and subjectAlt(ernative)Name fields of an X.509 certificate, which
 allows man-in-the-middle attackers to spoof arbitrary SSL servers via
 a crafted certificate issued by a legitimate Certification Authority,
 a related issue to CVE-2009-2408 (CVE-2009-2666).
 

[ MDVSA-2009:315 ] libneon

 Problem Description:

 A vulnerability has been found and corrected in libneon:
 
 neon before 0.28.6, when OpenSSL is used, does not properly handle a
 '\0' (NUL) character in a domain name in the subject's Common Name
 (CN) field of an X.509 certificate, which allows man-in-the-middle
 attackers to spoof arbitrary SSL servers via a crafted certificate
 issued by a legitimate Certification Authority, a related issue to
 CVE-2009-2408 (CVE-2009-2474).
 

[ MDVSA-2010:195 ] libesmtp

 Problem Description:

 Multiple vulnerabilities have been found and corrected in libesmtp:
 
 libESMTP, probably 1.0.4 and earlier, does not properly handle a '\0'
 (NUL) character in a domain name in the subject's Common Name (CN)
 field of an X.509 certificate, which allows man-in-the-middle attackers
 to spoof arbitrary SSL servers via a crafted certificate issued by a
 legitimate Certification Authority, a related issue to CVE-2009-2408
 (CVE-2010-1192).
 

[SECURITY] [DSA 1904-1] New wget packages fix SSL certificate verification weakness

Daniel Stenberg discovered that wget, a network utility to retrieve files from
the Web using http(s) and ftp, is vulnerable to the "Null Prefix Attacks Against
SSL/TLS Certificates" published at the Blackhat conference some time ago.  This
allows an attacker to perform undetected man-in-the-middle attacks via a crafted
ITU-T X.509 certificate with an injected null byte in the Common Name field.


For the oldstable distribution (etch), this problem has been fixed in
version 1.10.2-2+etch1.


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.